#!/bin/bash -e
# FWIW "-e" tries to exit right away on error:
# https://tldp.org/LDP/abs/html/options.html
# https://stackoverflow.com/questions/9952177/whats-the-meaning-of-the-parameter-e-for-bash-shell-command-line/9952249

# PLZ SEE http://FAQ.IIAB.IO > "What is Ansible and what version should I use?"
# https://github.com/iiab/iiab/wiki/Technical-Contributors-Guide#female_detective-understanding-ansible

APT_PATH=/usr/bin     # Avoids problematic /usr/local/bin/apt on Linux Mint
CURR_VER=undefined    # Ansible version you have installed, e.g. [core 2.20.0]
GOOD_VER=2.20.0       # Orig for 'yum install [rpm]' & XO laptops (pip install)

# 2021-06-22: The apt approach (with PPA source in /etc/apt/sources.list.d/ and
# .gpg key etc) are commented out with ### below.  Associated guidance/comments
# are intentionally preserved.

# 2021-05-19 PR #2743: As a result of Ansible / Red Hat / IBM's extensive
# delays in publishing the PPA (.deb installer files) for ansible-core, this
# file bypasses the apt approach (and associated PPA source) in favor of:
#
# pip3 install --upgrade ansible-core

# 2021-02-25: Latest 'ansible-base' was being installed from PPA, using either
# OS 'CODENAME' below: https://launchpad.net/~ansible/+archive/ubuntu/ansible

# 'lsb_release -sc' gives Mint 20 codename 'ulyana' etc: (TOO FINE-GRAINED)
###if grep -q buster /etc/os-release /etc/debian_version; then
###    CODENAME=bionic    # Debian 10, RasPiOS 10 & Buster-like distros
###else
###    CODENAME=focal     # Debian 11+, RasPiOS 11+, Ubuntu 20.04+, Mint 20+ (ETC)
###fi

# APRIL 2021 - ansible-base (2.10) was renamed to ansible-core (2.11+):
# https://www.ansible.com/blog/ansible-3.0.0-qa
# https://github.com/ansible/ansible/tags
# https://github.com/ansible/ansible/releases
# https://github.com/ansible/ansible/commits/stable-2.20
# https://github.com/ansible/ansible/blob/stable-2.20/changelogs/CHANGELOG-v2.20.rst
# https://github.com/ansible/ansible/commits/stable-2.19
# https://github.com/ansible/ansible/blob/stable-2.19/changelogs/CHANGELOG-v2.19.rst
# https://github.com/ansible/ansible/commits/stable-2.18
# https://github.com/ansible/ansible/blob/stable-2.18/changelogs/CHANGELOG-v2.18.rst
# https://github.com/ansible/ansible/commits/stable-2.17
# https://github.com/ansible/ansible/blob/stable-2.17/changelogs/CHANGELOG-v2.17.rst
# https://github.com/ansible/ansible/commits/stable-2.16
# https://github.com/ansible/ansible/blob/stable-2.16/changelogs/CHANGELOG-v2.16.rst
# https://github.com/ansible/ansible/commits/stable-2.15
# https://github.com/ansible/ansible/blob/stable-2.15/changelogs/CHANGELOG-v2.15.rst
# https://github.com/ansible/ansible/commits/stable-2.14
# https://github.com/ansible/ansible/blob/stable-2.14/changelogs/CHANGELOG-v2.14.rst
# https://github.com/ansible/ansible/commits/stable-2.13
# https://github.com/ansible/ansible/blob/stable-2.13/changelogs/CHANGELOG-v2.13.rst
# https://github.com/ansible/ansible/commits/stable-2.12
# https://github.com/ansible/ansible/blob/stable-2.12/changelogs/CHANGELOG-v2.12.rst
# https://pypi.org/project/ansible-core/
# https://pypi.org/project/ansible-base/ (OLD)
# https://releases.ansible.com/ansible-core/ (OLD)
# https://releases.ansible.com/ansible-base/ (OLD)
# https://launchpad.net/~ansible
# https://launchpad.net/~ansible-gha
# https://launchpad.net/~ansible/+archive/ubuntu/ansible
# https://launchpad.net/~ansible/+archive/ubuntu/ansible/+packages
# https://launchpad.net/~ansible/+archive/ubuntu/ansible-2.10 (OLD)
# http://ppa.launchpad.net/ansible/ansible/ubuntu/pool/main/a/ansible/ (OLD)
# http://ppa.launchpad.net/ansible/ansible/ubuntu/pool/main/a/ansible-core/

# FYI .travis.yml installs ansible-core in a slightly different way (PRs #2689 & #2743)

# IIAB implementers might instead consider these 4 GENERAL TECHNIQUES below
# ("in an emergency!") e.g. if apt fails & you need a newer/older Ansible:

# TEMPORARILY USE pip3 to install the latest ansible-core as listed at
# https://pypi.org/project/ansible-core/ (REMOVE W/ "pip3 uninstall ansible-core")
#apt install python3-pymysql python3-psycopg2 python3-passlib python3-pip python3-setuptools python3-packaging python3-venv virtualenv
#pip3 install --upgrade ansible-core    # Then start a new shell, so /usr/local/bin works
#ansible-galaxy collection install -r collections.yml

# TEMPORARILY USE ansible-base 2.10.17 (REMOVE W/ "pip3 uninstall ansible-base")
#apt install python3-pip
#pip3 install ansible-base==2.10.17   # Start new shell, so /usr/local/bin works

# TEMPORARILY USE ANSIBLE 2.9.27 (REMOVE IT WITH "pip3 uninstall ansible")
#apt install python3-pip
#pip3 install ansible==2.9.27

# TEMPORARILY USE ANSIBLE 2.4.2 DUE TO 2.4.3 MEMORY BUG. Details: iiab/iiab#669
#echo "Install https://download.iiab.io/packages/ansible_2.4.2.0-1ppa~xenial_all.deb"
#cd /tmp
#wget https://download.iiab.io/packages/ansible_2.4.2.0-1ppa~xenial_all.deb
#apt -y --allow-downgrades install ./ansible_2.4.2.0-1ppa~xenial_all.deb

export DEBIAN_FRONTEND=noninteractive
# Why 'noninteractive' appears needed:
# https://github.com/iiab/iiab/issues/564#issuecomment-347264985

echo -e "\n\nYOU ARE RUNNING: /opt/iiab/iiab/scripts/ansible (TO INSTALL ANSIBLE ETC)\n"
#echo -e 'Alternative:     /opt/iiab/iiab/scripts/ansible-2.9.x ("Slow Food")\n'

echo -e "RECOMMENDED PREREQUISITES:"
echo -e "(1) Verify you're online"
echo -e "(2) Remove all prior versions of Ansible using..."
echo -e "    'apt purge ansible-core'  and/or  'pip3 uninstall ansible-core'  and/or"
#echo -e "    'apt purge ansible-base'  and/or  'pip3 uninstall ansible-base'  and/or"
echo -e "    'apt purge ansible'       and/or  'pip3 uninstall ansible'"
#echo -e "(3) Remove all lines containing 'ansible' from..."
#echo -e "    /etc/apt/sources.list and /etc/apt/sources.list.d/*\n"

#echo -e "IIAB INSTALL INSTRUCTIONS: (OLDER, MANUAL APPROACH)"
#echo -e "https://github.com/iiab/iiab/wiki/IIAB-Installation#do-everything-from-scratch\n"

if command -v ansible > /dev/null; then    # "command -v" is POSIX compliant; also catches built-in commands like "cd"
    CURR_VER=$(ansible --version | head -1 | cut -f 2- -d " ")
    # Above works with 'ansible [core 2.11.0rc2]' -- these old ways do not:
    #CURR_VER=$(ansible --version | head -1 | awk '{print $2}')
    #CURR_VER=$(ansible --version | head -1 | sed -e 's/.* //')
    echo -e "CURRENTLY INSTALLED ANSIBLE: $CURR_VER -- LET'S TRY TO UPGRADE IT!"
else
    echo -e "ANSIBLE NOT FOUND ON THIS COMPUTER -- LET'S TRY TO INSTALL IT!"
fi
echo -e "(Internet-in-a-Box requests ansible-core $GOOD_VER or higher)\n"

# Code above designed to work on all Linux distributions, to preserve options,
# in support of any volunteer(s) wanting to port IIAB to a new Linux/distro.
if [ ! -f /etc/debian_version ]; then    # e.g. RasPiOS, Ubuntu, Mint & Debian
    echo -e "\nEXITING: /etc/debian_version FILE NOT FOUND.  Linux OS support info here:"
    echo -e "           https://github.com/iiab/iiab/wiki/IIAB-Platforms\n"
    exit 1
fi

# If OS is Trisquel, make python3-pip and python3-pip-whl ("what's really
# needed") available, and change AppArmor to enable php-fpm writing to disk.
grep -qx 'ID=trisquel' /etc/os-release && \
/opt/iiab/iiab/scripts/trisquel-profile-setup.sh

# 2021-04-26: JV & @holta WIP.  The apt-key command is going away, and the past
# practice of putting keys in /etc/apt/trusted.gpg.d is considered insecure:
# https://www.linuxuprising.com/2021/01/apt-key-is-deprecated-how-to-add.html
# https://askubuntu.com/questions/1286545/what-commands-exactly-should-replace-the-deprecated-apt-key/1307181#1307181
# So we put .gpg key in repo iiab/iiab, also for reliable installs/containers.

#echo -e "\napt update; install dirmngr; PPA to /etc/apt/sources.list.d/iiab-ansible.list\n"
#$APT_PATH/apt update
#$APT_PATH/apt -y install dirmngr
#echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu $CODENAME main" \
###echo "deb [signed-by=/usr/share/keyrings/iiab-ansible-keyring.gpg] http://ppa.launchpad.net/ansible/ansible/ubuntu $CODENAME main" \
###     > /etc/apt/sources.list.d/iiab-ansible.list

# 2022-11-09: ansible-core 2.12.10+ PPA works on 32-bit RasPiOS, until upstream wheels -> cryptography is fixed (PR #3421)
#echo "deb [signed-by=/usr/share/keyrings/iiab-ansible-keyring.gpg] http://ppa.launchpad.net/ansible/ansible/ubuntu focal main" \
#     > /etc/apt/sources.list.d/iiab-ansible.list

# In future we might instead consider 'add-apt-repository ppa:ansible/ansible'
# or 'apt-add-repository ppa:ansible/bionic/ansible' etc, e.g. for streamlined
# removal using 'apt-add-repository -r' -- however that currently requires
# 'apt install software-properties-common' which drags in a dozen packages we
# might not want, e.g. unattended-upgrades, packagekit etc.

# 2020-08-20: TEMP WORKAROUND (REVERT TO ANSIBLE 2.9.6) MITIGATING
# iiab/iiab#2481 (Ansible 2.9.12 and 2.10.0's 666-TO-600 file permissions
# problem).  This workaround installs 2.9.6-1ppa~disco onto RasPiOS, from
# https://launchpad.net/~ansible/+archive/ubuntu/ansible
#echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu disco main" \
#    > /etc/apt/sources.list.d/iiab-ansible.list

# 2021-04-26: JV & @holta WIP: (see above)
#echo -e '\nIF YOU FACE ERROR "signatures couldn'"'"'t be verified because the public key is not available" THEN REPEATEDLY RE-RUN "sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 93C4A3FD7BB9C367"\n'
#apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 93C4A3FD7BB9C367
###cp /opt/iiab/iiab/scripts/iiab-ansible-keyring.gpg /usr/share/keyrings/iiab-ansible-keyring.gpg
#chmod 644 /usr/share/keyrings/iiab-ansible-keyring.gpg

# 2022-11-09: ansible-core 2.12.10+ PPA works on 32-bit RasPiOS, until upstream wheels -> cryptography is fixed (PR #3421)
#cp /opt/iiab/iiab/scripts/iiab-ansible-keyring.gpg /usr/share/keyrings/iiab-ansible-keyring.gpg

###echo -e 'PPA source "deb [signed-by=/usr/share/keyrings/iiab-ansible-keyring.gpg] http://ppa.launchpad.net/ansible/ansible/ubuntu '$CODENAME' main"'
###echo -e "successfully saved to /etc/apt/sources.list.d/iiab-ansible.list\n"
###echo -e "IF *OTHER* ANSIBLE SOURCES APPEAR BELOW, PLEASE MANUALLY REMOVE THEM TO"
###echo -e 'ENSURE ANSIBLE UPDATES CLEANLY: (then re-run this script to be sure!)\n'
###grep '^deb .*ansible' /etc/apt/sources.list /etc/apt/sources.list.d/*.list | grep -v '^/etc/apt/sources.list.d/iiab-ansible.list:' || true    # Override bash -e (instead of aborting at 1st error)

#echo -e "\napt update; apt install python3-pip    # Also installs 'python3-setuptools' and 'python3' etc"
#echo -e "https://github.com/iiab/iiab/blob/master/scripts/ansible.md\n"
#$APT_PATH/apt update
#$APT_PATH/apt -y install python3-pip

# 2021-07-29:
# 'python3-packaging' dropped for now
# 'python3-pymysql' (drags in 'python3' which drags in 'python3-venv' on Debian 11 but not on Ubuntu 20.04) -- moved to roles/mysql/tasks/install.yml
# 'python3-psycopg2' moved to roles/postgresql/tasks/install.yml
# 'python3-passlib' moved to roles/munin/tasks/install.yml
# 'python3-venv' moved to roles/2-common/tasks/packages.yml
# 'virtualenv' for Python 2 moved to roles/kalite/tasks/install.yml
#
#$APT_PATH/apt -y install \
#              python3-pymysql python3-psycopg2 python3-passlib python3-pip \
#              python3-setuptools python3-packaging python3-venv virtualenv

#$APT_PATH/apt -y --allow-downgrades install ansible-core

# 2021-10-30: Using pip is messy, leaving behind cached files, so turn off pip
# cache system-wide before installing:
# https://stackoverflow.com/questions/9510474/removing-pips-cache/61762308#61762308
# https://github.com/iiab/iiab/pull/3022
#pip3 config --global set global.no-cache-dir false

#if ! uname -m | grep -q 64; then
    # echo "2022-11-09: ansible-core 2.12.10+ PPA works on 32-bit RasPiOS, using /etc/apt/sources.list.d/iiab-ansible.list, until upstream wheels -> cryptography is fixed (PR #3421)"
    # $APT_PATH/apt -y --allow-downgrades install ansible-core
#    echo -e "\n\n'pip3 install cryptography==39.0.2' will now run:\n"
#    pip3 install --break-system-packages cryptography==39.0.2 || pip3 install cryptography==39.0.2    # PR #3459 https://www.piwheels.org/project/cryptography/ -- WAS 37.0.4 which as of 2023-01-06 was the "latest compatible with ansible-core available via piwheels.org"
#fi

#echo -e "\n\n'pip3 install --upgrade ansible-core' will now run:\n"                                   # REMINDER: ansible-core 2.12 (released 2021-11-08) requires Python >= 3.8
#pip3 install --break-system-packages --upgrade ansible-core || pip3 install --upgrade ansible-core    # PR #3493: Revert to old syntax if pip < 23.0.1, as flag --break-system-packages (for Python 3.11+ / PEP 668) is brand new in Feb 2023: https://github.com/pypa/pip/pull/11780

echo -e "\napt update; apt install python3-venv"
$APT_PATH/apt update
$APT_PATH/apt -y install python3-venv

# 2023-09-08 PR #3634: 'apt install ansible-core' is overweight, but works on
# "32-bit" RasPiOS 12 (@EMG70 set 'arm_64bit=0' in /boot/config.txt per #3516
# to force boot its 32-bit kernel; its 64-bit kernel should work too!)
# IN SHORT: This ugly hack appears sufficient for all "32-bit" Bookworm+ OS's
# (similar to 32-bit Debian 12 on AMD/Intel a month ago, i.e. PR #3617).
# 2023-09-10 PR #3637: Even safer test than querying for Debian 12+ -- verify
# that apt package ansible-core is truly available:
#if ! dpkg --print-architecture | grep -q 64 && apt-cache show ansible-core > /dev/null; then
#if ! dpkg --print-architecture | grep -q 64 && ! grep -q ^11 /etc/debian_version; then
# 2023-09-10 PR #3632: Revert above #3634 and #3637 trying /etc/pip.conf w/ cryptography 41.0.3
if [[ $(dpkg --print-architecture) == "i386" ]] && apt-cache show ansible-core > /dev/null; then
    # 2023-08-10 #3613/#3615/#3617: apt-not-pip kludge for legacy 32-bit i386
    # (DEBIAN 12+ ETC) avoids #3547 rust/wheels/cryptography compiling mess!
    $APT_PATH/apt -y install ansible-core    # Bookworm ~= ansible-core 2.14.3
else
    # 2023-03-22: OS's like Ubuntu 23.04 and Debian 12 (e.g. with Python 3.11+) ask
    # that virtual environments (venv) be used to safely isolate pip installs:
    # https://peps.python.org/pep-0668

    # 2023-09-08: NEW WAY ANSIBLE RECOMMENDS?  https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html
    # $APT_PATH/apt -y install pipx    # Typically adds 50+ packages!
    # pipx install ansible-core
    # pipx ensurepath    # Adds /root/.local/bin to $PATH -- next time you open a shell -- e.g. for /root/.local/bin/ansible -> /root/.local/pipx/venvs/ansible-core/bin/ansible
    # Or, to install package globally for multi-user access: (pypa/pipx#754)
    # PIPX_HOME=/opt/pipx PIPX_BIN_DIR=/usr/local/bin pipx install ansible-core

    # 2023-10-11: RasPiOS Bookworm doc for Python with venv (PEP 668 now enforced!)
    # https://www.raspberrypi.com/documentation/computers/os.html#python-on-raspberry-pi
    # https://www.raspberrypi.com/documentation/computers/os.html#using-pip-with-virtual-environments

    echo -e "\nCreate virtual environment for Ansible"
    python3 -m venv /usr/local/ansible

    # 2023-09-10: Work around #3526 "32-bit" RasPiOS 12 pre-release issue...
    # 'Package issue: cryptography 41.0.3 leads to cffi 1.15.1 failure on
    # "32-bit" Raspberry Pi OS [REASON: /etc/pip.conf missing on some Bookworm
    # pre-releases' == https://github.com/piwheels/packages/issues/390
    if ! [ -f /etc/pip.conf ] && [ -f /etc/rpi-issue ]; then
        cat > /etc/pip.conf << EOF
[global]
extra-index-url=https://www.piwheels.org/simple
EOF
    fi

    # "if not ubuntu" (covers RasPiOS & Debian) would also work, but is overbroad:
    # if ! grep -qi ubuntu /etc/os-release; then
    #
    # if [ -f /etc/rpi-issue ] && [[ $(dpkg --print-architecture) == armhf ]]; then
    #
    # 2023-03-24 #3547 similar to #3459 re: cryptography, piwheels, rust.
    # Release problems chart: https://www.piwheels.org/project/cryptography/
    # if ! dpkg --print-architecture | grep -q 64; then     # 32-bit in general!
    # 2023-09-07: Commenting out cryptography 40.0.1 below, as @EMG70 evaluates
    #             new upstream piwheels fix (e.g. cryptography 41.0.3 for now)
    #             on pre-release 32-bit RasPiOS 12... (#3526)
    # if [[ $(dpkg --print-architecture) == armhf ]]; then    # 32-bit ARM
    #     # 2023-09-30: cryptography 40.0.1 and 41.0.4 both fail for now, see #3650
    #     $APT_PATH/apt -y install libffi-dev python3-dev
    #     /usr/local/ansible/bin/python3 -m pip install cryptography==41.0.3
    #     # else
    #     # 2023-08-10: 'apt install rustc pkg-config libssl-dev' was not enough!
    #     # So we use apt to install cryptography 38.0.4 for Debian 12.1 -- where
    #     # `dpkg --print-architecture` was i386 and `uname -m` was i686:
    #     #     $APT_PATH/apt -y install python3-cryptography
    # fi

    # 2023-05-22: 2.14.6 was better than 2.15.0 for FreePBX (#3588, ansible/ansible#80863)
    # 2023-10-01 #3650: --prefer-binary or --only-binary ensure you get wheels,
    # even if they're not the very latest release -- thereby avoiding compiling
    # messes -- and obviating the need for these 2: (above, both commented out)
    # - 'apt -y install libffi-dev python3-dev'
    # - painstaking pinning of cryptography or cffi (etc) to older version #s
    /usr/local/ansible/bin/python3 -m pip install --prefer-binary --upgrade ansible-core
    echo -e "\nCreate symlinks /usr/local/bin/ansible* -> /usr/local/ansible/bin/ansible*"
    cd /usr/local/ansible/bin
    for bin in ansible*; do
	ln -sf /usr/local/ansible/bin/"$bin" /usr/local/bin/"$bin"
    done
fi

# (Re)running collection installs appears safe, with --force-with-deps to force
# upgrade of collection and dependencies it pulls in.  Note Ansible may support
# explicit upgrading of collections (--upgrade / -U flag) in version "2.11"
# with PR ansible/ansible#73336.  See also IIAB PRs #2647 #2652 #2653 #2655.
echo -e "\n\nIIAB requires these ~4 Ansible Collections: (we upgrade them here if possible!)\n"
ansible-galaxy collection install --force-with-deps \
               -r /opt/iiab/iiab/collections.yml \
               -p /usr/share/ansible/collections
# 2021-02-24: 'ansible-galaxy collection list' lists those installed. (#2659)
# 2020-11-28: The ~3 Ansible Collections used by IIAB (~37MB) once lived here:
#    /root/.ansible/collections/ansible_collections
# But going forward they'll be stored herein: [~24MB for 4 Collections as of 2021-05-19]
#    /usr/share/ansible/collections/ansible_collections

# 2021-04-19: No longer needed, per PR #2743 testing
#echo -e "\n\nCreating/verifying directory /etc/ansible & installing /etc/ansible/hosts\n"
#mkdir -p /etc/ansible    # LIKELY REDUNDANT, due to above installation of Ansible
#echo -e '[local]\nlocalhost\n' > /etc/ansible/hosts    # LIKELY REDUNDANT, due to https://github.com/iiab/iiab/blob/master/ansible_hosts

echo -e "\n\nSUCCESS!  PLEASE VERIFY ANSIBLE WITH COMMANDS LIKE:\n"
echo -e "    ansible --version"
echo -e "    /usr/local/ansible/bin/pip3 show ansible-core"
echo -e '    apt -a list "ansible*"'
echo -e "    ansible-galaxy collection list\n\n"
#echo -e "WARNING: Start a new Linux shell, if it changed from /usr/bin to /usr/local/bin\n\n"
